漏洞描述
WordPress Drag and Drop Multiple File Upload for WooCommerce插件1.1.6及以下版本存在任意文件上传漏洞,由于upload()函数未对用户提供的supported_type字符串和上传文件名进行真实扩展名或MIME类型检查,未经身份验证的攻击者可上传任意文件到受影响站点的服务器,可能导致远程代码执行。
WordPress Drag and Drop Multiple File Upload for WooCommerce dnd_codedropz_upload_wc 文件上传漏洞(CVE-2025-4403)
日期: 2026-01-23
| 影响软件: WordPress Drag and Drop Multiple File Upload for WooCommerce dnd_codedropz_upload_wc
| POC: 否
PoC代码
暂无相关漏洞推荐
- WordPress Broken Link Notifier /wp-admin/admin-ajax.php blnotifier_blinks 服务器端请求伪造漏洞(CVE-2025-6851)
- POC CVE-2024-29137: WordPress Tourfic Plugin <= 2.11.7 - Cross-Site Scripting
- POC CVE-2025-46349: YesWiki Reflected XSS via File Upload
- POC wordpress-meta-box-fpd: WordPress Meta Box - Full Path Disclosure
- POC wp-add-search-to-menu-fpd: WordPress Ivory Search - Full Path Disclosure
- POC wp-advanced-iframe-fpd: WordPress Advanced iFrame - Full Path Disclosure
- POC wp-advanced-responsive-video-embedder-fpd: WordPress Advanced Responsive Video Embedder - Full Path Disclosure
- POC wp-ajax-load-more-anything-fpd: WordPress Load More Anything - Full Path Disclosure
- POC wp-ajax-search-lite-fpd: WordPress Ajax Search Lite - Full Path Disclosure
- POC wp-all-in-one-seo-pack-fpd: WordPress All in One SEO Pack - Full Path Disclosure
- POC wp-astra-fpd: WordPress Astra - Full Path Disclosure
- POC wp-better-wp-security-fpd: WordPress Plugin iThemes Security - Full Path Disclosure
- POC wp-call-now-button-fpd: WordPress Call Now Button - Full Path Disclosure